Key Challenges in DRM: An Industry Perspective

Brian A. LaMacchia

Microsoft Corporation

The desire for robust digital rights management (DRM) systems is not new to the commercial world. Indeed, industrial research, development and deployment of systems with DRM aspects (most notably crude copy-control schemes) have a long history. Yet to date the industry has not seen much commercial success from shipping these systems on top of platforms that support general-purpose computing. There are many factors contributing to this lack of acceptance of current DRM systems, but I see three specific areas of work that are key adoption blockers today and ripe for further academic and commercial research. The lack of widely-available trustworthy computing devices, robust trust management engines and a general-purpose rights expression/authorization language all hamper industrial development and deployment of DRM systems for digital content.

The most pressing concern today for the DRM industry is, by far, the lack of “trustworthy computing devices,” by which I mean computing devices whose behavior is defined, understood and acceptable to all parties in a content transaction. Fear about platform behavior is anathema to the distribution of information, and such fear is rampant today across all segments of potential DRM users. Obviously owners of digital audio or video content will not distribute their works to platforms they consider “potentially hostile,” and the same is true of individual users requested to reveal private information to remote systems. Every content owner needs some way to be convinced that the remote system receiving his or her valuable information will behave as expected, which ultimately means that the platform must have (a) an open, auditable and comprehensible trusted computing base (TCB), and (b) the means to prove the possession and operation of such a TCB remotely to another party. The combination of these two features is what we call an “attestable TCB,” and we can build trustworthy computing devices once we have that core component.

Part of the job of the attestable TCB is to protect and regulate access to a set of resources. Thus, the TCB must be able to grant conditional access to these resources, which leads to the need for a robust, general-purpose trust management engine. Starting with the development of PolicyMaker [1] in 1996 we have seen a succession of active research [2, 3] and commercial deployment [4] of trust management engines. The attractiveness of this approach has grown with the increased complexity of distributed systems as well as the types of resources that need to be protected. In the .NET Framework’s Common Language Runtime, for example, the trust management engine at the core of the policy system is responsible for dynamically associating authorizations with every piece of executable code loaded into a process. Content distribution adds another dimension (or two) to the problem, because the set of resources to be protected is in fact the entire set of content potentially available to the TCB over the network, and the types of activities authorized with respect to any particular piece of content may be arbitrarily precise. There is an obvious tension here between the need to make the policy evaluation engine more complex (to handle the various types of authorizations and resources) and the need to make it open, auditable and comprehensible (to make it part of the attestable TCB). We need to address both requirements for our DRM systems to meet the needs of all content creators and consumers.

The third component required for the success of DRM systems is a “general-purpose” rights expression language – an extensible syntax and semantics for expressing grants of authorizations. The need for a rights expression language goes hand-in-hand with the requirement for a trust management engine, for the inputs to the engine are (a) policy specifications, and (b) some “evidence” proving that authorization to use a resource in a particular way has been granted by the owner of that resource to the entity requesting use of it. The need for industry-standard authorization languages is much broader than just the DRM space; as we continue to build larger and larger distributed systems we need a lingua franca for communicating authorizations among all networked nodes. The need is especially apparent in the “web services” model of distributed programming, as it is expected that any networked node can dynamically discover, learn how to communicate with and access any available service (with proper authorization). There are a number of concurrent ongoing efforts to develop and standardize such languages [5, 6, 7]. The keys to acceptance of any of these languages for DRM systems are similar to those for the attestable TCB and the TM engine: the language must be sufficiently extensible that any authorization of interest to a content owner may be expressed with appropriate schema extensions for syntax and semantics, and implementations of the language must be attestable (open, auditable, comprehensible and provable) to the same degree as the other components of the DRM core.
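The two engine inputs named above, policy and evidence, can be made concrete with a small compliance checker. This is an added illustration, not code from the author or from any of the cited systems: the `Grant` record, the `authorized` function and all principal and resource names are hypothetical, and the grants are assumed to have had their signatures verified before they reach the engine.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    issuer: str                 # principal making the grant
    subject: str                # principal receiving it
    resource: str               # content identifier
    actions: frozenset          # authorized activities, e.g. {"play"}
    may_delegate: bool = False  # may the subject re-grant to others?

def authorized(policy, evidence, requester, resource, action):
    """True if the evidence chains from the resource owner to the requester.

    policy:   resource -> owner principal the TCB trusts for that resource.
    evidence: Grants presented with the request (assumed signature-checked).
    """
    owner = policy.get(resource)
    if owner is None:
        return False            # default deny: no policy covers the resource
    if requester == owner:
        return True
    can_grant = {owner}         # principals allowed to pass this right on
    changed = True
    while changed:              # fixpoint over the delegation graph
        changed = False
        for g in evidence:
            if g.resource != resource or action not in g.actions:
                continue        # every link must itself carry the action
            if g.issuer not in can_grant:
                continue        # issuer never held a delegable right
            if g.subject == requester:
                return True
            if g.may_delegate and g.subject not in can_grant:
                can_grant.add(g.subject)
                changed = True
    return False

# Constructed sample input (not from the original text).
POLICY = {"song-42": "studio"}
EVIDENCE = [
    Grant("studio", "retailer", "song-42", frozenset({"play", "copy"}), True),
    Grant("retailer", "alice", "song-42", frozenset({"play"})),
    Grant("alice", "bob", "song-42", frozenset({"play"})),    # alice cannot delegate
    Grant("mallory", "mallory", "song-42", frozenset({"copy"})),  # self-issued
]
```

The checker is deliberately small enough to audit by reading, which is the tension the text describes: each richer kind of authorization added to the grant format makes the engine harder to keep within an attestable TCB.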

Creating attestable TCBs, trust management engines and authorization languages are the three key challenges facing development, deployment and acceptance of DRM systems. In this talk I’ll describe each of these challenges, provide examples of how the industry is approaching each problem, and discuss how the solutions to each one of them are dependent on the others.

References

[1] M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized trust management. In Proceedings 1996 IEEE Symposium on Security and Privacy, 164--173, May 1996.

[2] M. Blaze, J. Feigenbaum, and A. D. Keromytis. KeyNote: Trust management for public-key infrastructures. In Proc. Cambridge 1998 Security Protocols International Workshop, 59--63, 1998. See also IETF RFC 2704.

[3] Y.-H. Chu, J. Feigenbaum, B. LaMacchia, P. Resnick and M. Strauss, REFEREE: Trust Management for Web Applications, Proceedings of the Sixth International World Wide Web Conference, Santa Clara, CA, April 1997. Reprinted in Computer Networks and ISDN Systems 29 (1997), 953--964.

[4] B. LaMacchia, S. Lange, M. Lyons, R. Martin and K. Price, .NET Framework Security, Addison-Wesley, April 2002, 45--119.

[5] “Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML),” P. Hallam-Baker and E. Maler, eds. OASIS XML-Based Security Services Technical Committee, May 2002.

[6] “OASIS eXtensible Access Control Markup Language (XACML),” S. Godik, T. Moses, eds. OASIS eXtensible Access Control Markup Language Technical Committee, Working Draft, September 2002.

[7] “eXtensible Rights Markup Language (XrML) 2.1,” submission by ContentGuard to the OASIS Rights Language Technical Committee, May 2002. Available at